Good for Enterprise 8.x Security Technical Implementation Guide

V1R3 2017-12-14       U_Good_for_Enterprise_8-x_STIG_V1R3_Manual-xccdf.xml
V1R1 2014-08-18       U_Good_for_Enterprise_8.x_V1R1_Manual-xccdf.xml
Developed by Good Technology in coordination with DISA for the DoD.
Comparison
All: 65
No Change: 64
Updated: 1
Added: 0
Removed: 0
V-53019 No Change
Findings ID: GOOD-00-000010 Rule ID: SV-67235r1_rule Severity: high CCI: CCI-000037

Discussion

Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system and the authority to delete any record of those changes.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role-Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and a non-privileged account.
It is recommended that the following or similar roles be supported:
1) Good Mobility Suite administrative account administrator is responsible for server installation, initial configuration, and maintenance functions.
2) Security configuration policy administrator (IA technical professional) is responsible for security configuration of the server and setting up and maintenance of mobile device security policies.
3) Device management administrator (Technical operator) is responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion.
4) Auditor (internal auditor or reviewer) is responsible for reviewing and maintaining server and mobile device audit logs.

Checks

Review the Good Mobility Suite configuration to determine if separation of administrator duties has been implemented by assigning a specific role to each administrator account. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to implement separation of administrator duties by requiring a specific role to be assigned to each administrator account.

-Launch the Good Mobile Control Web console and select the Roles tab
-Validate that administrative users are assigned to different roles based upon job function as defined by local policy.

Service Administrator - Service account super-user
Administrator - Server administrator
Helpdesk - Add/remove users
Self-service - Users take action on their own devices - DO NOT USE
V-53027 No Change
Findings ID: GOOD-00-000650 Rule ID: SV-67243r1_rule Severity: high CCI: CCI-001274

Discussion

Successful incident response and auditing rely on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficient manner. Alerting the Good Mobility Suite to integrity failures mitigates the potential for attacks that trigger those failures to have further consequences for the enterprise.

Checks

Review the Good Mobility Suite configuration to determine if alerts are accepted from the mobile operating system when the mobile OS has detected integrity check failures. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.

-Good logs are saved in standard .log format. The default location for these logs is the Log directory under the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows the data to be consumed by any third-party syslog tool. Refer to the third-party documentation to configure the required alerts/notifications.
V-53029 No Change
Findings ID: GOOD-00-000640 Rule ID: SV-67245r1_rule Severity: high CCI: CCI-001265

Discussion

Incident response functions are intended to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is accurate and timely notification of events. Notifications can be made more efficient by the creation of notification groups containing members who would be responding to a particular alarm or event. Types of actions the Good Mobility Suite must be able to perform after a security alert include: log the alert, send email to a system administrator, wipe the managed mobile device, lock the mobile device account on the Good Mobility Suite, disable the security container, wipe the security container, and delete an unapproved application. Security alerts include any alert from the MDIS or MAM component of the Good Mobility Suite.

Checks

Review the Good Mobility Suite configuration to determine if it has the capability to perform required actions after receiving a security-related alert. Otherwise, this is a finding.

Fix

Use a Good Mobility Suite that can perform the required actions after receiving security-related alerts.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select a policy set to review and click on the policy
-On the left tab, select Compliance Manager under Mobile Device Management and click Add Rule
-Select the Compliance Rule
-Under Failure Action, select the appropriate action
V-53031 No Change
Findings ID: GOOD-00-000630 Rule ID: SV-67247r1_rule Severity: high CCI: CCI-001233

Discussion

Organizations are required to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and report this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). To support this requirement, an automated process or mechanism is required. This mechanism also ensures the network configuration is known for risk mitigation when known issues are found with certain versions of the operating system or applications.

Checks

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite detects and reports the version of the operating system, device drivers, and application software for managed mobile devices. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to detect and report the version of the operating system, device drivers, and application software for managed mobile devices.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on iOS Configuration
-Verify all checkboxes are checked on the General tab
V-53033 No Change
Findings ID: GOOD-00-000620 Rule ID: SV-67249r1_rule Severity: low CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must support retrieving certificates not stored in the local trust anchor store.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client supports retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to retrieve encryption certificates not stored in the local trust anchor store for S/MIME purposes.

-Launch the Good Mobile Control Web console and click on the Settings tab
-On the left side, select Secure Messaging (S/MIME)
-Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
-Click on Save
V-53035 No Change
Findings ID: GOOD-00-000610 Rule ID: SV-67251r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must validate certificates through a trusted OCSP, CRL, or SCVP.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client provides a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to provide a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP.

-Launch the Good Mobile Control Web console and click on the Settings tab
-On the left side, select Secure Messaging (S/MIME)
-Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
-Click on Save and proceed to the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
V-53037 No Change
Findings ID: GOOD-00-000600 Rule ID: SV-67253r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to decrypt incoming email messages.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to provide the mobile device user the capability to decrypt incoming email messages using software- or hardware-based digital certificates.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
V-53039 No Change
Findings ID: GOOD-00-000590 Rule ID: SV-67255r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that the email client must be able to sign and/or encrypt outgoing messages.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client provides the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to provide the mobile device user the capability to digitally sign and encrypt outgoing email messages using software- or hardware-based digital certificates.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
V-53041 No Change
Findings ID: GOOD-00-000580 Rule ID: SV-67257r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the requirement states that Smart Card/Certificate Store password caching must time out.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client sets the Smart Card or Certificate Store Password caching timeout period to 120 minutes. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to set the Smart Card or Certificate Store Password caching timeout period to 120 minutes.
-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Re-challenge for password every is checked and set to 120 minutes
V-53043 No Change
Findings ID: GOOD-00-000570 Rule ID: SV-67259r1_rule Severity: low CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, the CAC is the required mechanism for that protection.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client S/MIME feature is fully interoperable with DoD PKI and CAC/PIV. CAC/PIV (hard token) and PKCS#12 (soft token) certificate stores must be supported. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite email client to utilize DoD PKI and CAC/PIV.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
V-53045 No Change
Findings ID: GOOD-00-000560 Rule ID: SV-67261r1_rule Severity: medium CCI: CCI-001144

Discussion

Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case, S/MIME is the required mechanism for encryption of email.

Checks

Review the Good Mobility Suite server configuration to verify the mobile email client provides S/MIME v3 (or later version) encryption of email. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite server to provide S/MIME v3 (or later version) encryption of email.

-Launch the Good Mobile Control Web console and click on the Settings tab
-On the left side, select Secure Messaging (S/MIME)
-Verify Enable Secure Messaging (S/MIME) is checked and the LDAP and OCSP URL values are configured properly
-Click on Save and proceed to the Policies tab
-Select the policy set for the smart phone and select Good For Enterprise Authentication
-Verify Enable S/MIME is checked

Optional: To enable CAC/PIV (hard token), ensure Good Vault is selected; otherwise, soft token will be the default.
V-53047 No Change
Findings ID: GOOD-00-000550 Rule ID: SV-67263r1_rule Severity: low CCI: CCI-001090

Discussion

The contact list data elements may contain sensitive or PII information; therefore, the data elements accessed outside the security container must be limited so sensitive data is not exposed.

Checks

Review the Good Mobility Suite server configuration to determine whether the email client restricts contact list data elements transferred to the phone application. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to restrict contact list data elements transferred to the phone application.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select the Messaging tab
-Verify Enable access to Good Contacts is checked
-Click on Choose Fields to select the fields to sync - Name and Phone Number
V-53049 No Change
Findings ID: GOOD-00-000540 Rule ID: SV-67265r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.

Checks

Review the Good Mobility Suite server configuration to determine whether the copying of data stored inside the security container to an unsecured area outside the container has been disabled. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the copying of data stored inside the security container to an unsecured area outside the container.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select the Messaging tab
-Verify Do not allow data to be copied from the Good application is unchecked
-Select the File Handling tab and make sure Enable importing to Good only is selected
-Verify Exceptions to importing/exporting between Good and 3rd party is checked and Trust only these external applications is selected
V-53051 No Change
Findings ID: GOOD-00-000530 Rule ID: SV-67267r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores. In some cases, some applications are required for secure operation of the mobile devices controlled by the Good Mobility Suite. In these cases, the ability for users to remove the application is needed to ensure proper secure operations of the device.

Checks

Review the Good Mobility Suite server configuration to determine whether there is a list of approved applications that must be installed on the mobile device and cannot be removed by the user. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to specify a list of approved applications that must be installed on the mobile device and cannot be removed by the user.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select the Application Management tab
-Verify Required applications have been assigned under Enterprise Applications and are marked as Managed under the 'Type' field
-Click Save
V-53053 No Change
Findings ID: GOOD-00-000520 Rule ID: SV-67269r1_rule Severity: medium CCI: CCI-000370

Discussion

DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system, in most cases, can be configured to disable user access to public application stores.

Checks

Review the Good Mobility Suite server configuration to determine if the mobile device agent prohibits the download of software from a DoD non-approved source. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite mobile device agent to prohibit the download of software from a DoD non-approved source.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify Allow installing apps is unchecked
V-53055 No Change
Findings ID: GOOD-00-000510 Rule ID: SV-67271r1_rule Severity: medium CCI: CCI-000370

Discussion

The operating system must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. Preventing a user from installing unapproved applications mitigates this risk. All OS core applications, third-party applications, and carrier-installed applications must be approved. In this case, applications include any applets, browse channel apps, and icon apps.

Checks

Review the Good Mobility Suite server configuration to determine if the mobile device user is prohibited from installing unapproved applications on the mobile device. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to prohibit the mobile device user from installing unapproved applications on the mobile device.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify Allow installing apps is unchecked
V-53057 No Change
Findings ID: GOOD-00-000500 Rule ID: SV-67273r1_rule Severity: high CCI: CCI-000370

Discussion

The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.

Checks

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite application white list for managed mobile devices is set to "Deny All" by default when no applications are listed. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite application white list for managed mobile devices to "Deny All" by default when no applications are listed.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select the Compliance Manager tab
-Verify an iOS rule exists with the 'Application Exceptions' rule type and is set to enabled
-Select Edit for the iOS rule
-Verify Trust only these applications is selected
-Verify only allowed applications are added to the 'Apps Selected' list
V-53059 No Change
Findings ID: GOOD-00-000490 Rule ID: SV-67275r1_rule Severity: medium CCI: CCI-000370

Discussion

The installation and execution of unauthorized software on an operating system may allow the application to obtain sensitive information or further compromise the system. If the system administrator has control over what applications are downloaded, then the system administrator can check that only known good programs are installed, which significantly mitigates the risk posed by malicious software.

Checks

Review the Good Mobility Suite server configuration to determine if the Good Mobility Suite agent prohibits the download of applications on mobile operating system devices without administrator control. If this function is not present, this is a finding.

Fix

Configure the Good Mobility Suite so the Good Mobility Suite agent is configured to prohibit the download of applications on mobile operating system devices without system administrator control.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and select the iOS Management tab
-Verify Enable iOS Configuration is checked
-Select Restrictions under the iOS Management tab
-Verify Allow use of iTunes Music Store is unchecked
V-53061 No Change
Findings ID: GOOD-00-000480 Rule ID: SV-67277r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Force encrypted backups has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS Force encrypted backups.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Require iTunes backups to be encrypted is checked
V-53063 No Change
Findings ID: GOOD-00-000470 Rule ID: SV-67279r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow diagnostic data to be sent to Apple has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow diagnostic data to be sent to Apple.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow diagnostic data to be sent to Apple is unchecked
V-53065 No Change
Findings ID: GOOD-00-000460 Rule ID: SV-67281r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Auto-fill has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Auto-fill.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow Auto-fill is unchecked
V-53067 No Change
Findings ID: GOOD-00-000450 Rule ID: SV-67283r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from unmanaged apps in managed apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from unmanaged apps in managed apps.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow "Open In" from unmanaged to managed is unchecked
V-53069 No Change
Findings ID: GOOD-00-000440 Rule ID: SV-67285r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Allow documents from managed apps in unmanaged apps has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Allow documents from managed apps in unmanaged apps.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow "Open In" from managed to unmanaged is unchecked
V-53071 No Change
Findings ID: GOOD-00-000430 Rule ID: SV-67287r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Touch ID to unlock device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Touch ID to unlock device.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow fingerprint unlock is unchecked
V-53073 No Change
Findings ID: GOOD-00-000420 Rule ID: SV-67289r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the iOS Today View in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS Today View in lock screen.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow lock screen Today View is unchecked
V-53075 No Change
Findings ID: GOOD-00-000410 Rule ID: SV-67291r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether iOS Airdrop has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Airdrop.

This setting can only be enforced by User-Based Enforcement.
V-53077 No Change
Findings ID: GOOD-00-000400 Rule ID: SV-67293r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the iOS notification center in lock screen has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the iOS notification center in lock screen.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow lock screen notifications view is unchecked
V-53079 No Change
Findings ID: GOOD-00-000390 Rule ID: SV-67295r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS voice dialing has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS voice dialing.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow voice dialing is unchecked
V-53081 No Change
Findings ID: GOOD-00-000380 Rule ID: SV-67297r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS Siri while the device is locked has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS Siri while the device is locked.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow Siri While device is locked is unchecked
V-53083 No Change
Findings ID: GOOD-00-000370 Rule ID: SV-67299r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS force limited ad tracking has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to enable iOS force limited ad tracking.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Force limit ad tracking is checked
V-53085 No Change
Findings ID: GOOD-00-000360 Rule ID: SV-67301r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud documents and data has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud documents and data.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow document syncing is unchecked
V-53087 No Change
Findings ID: GOOD-00-000350 Rule ID: SV-67303r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud backup has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud backup.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow iCloud backup is unchecked
V-53089 No Change
Findings ID: GOOD-00-000340 Rule ID: SV-67305r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of iOS iCloud keychain sync has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS iCloud keychain.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow iCloud keychain sync is unchecked
V-53091 No Change
Findings ID: GOOD-00-000330 Rule ID: SV-67307r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS photo streams.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow Photo Stream is unchecked
V-53093 No Change
Findings ID: GOOD-00-000320 Rule ID: SV-67309r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the ability to use iOS shared photo streams has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS shared photo streams.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow Shared Photo Stream is unchecked
V-53095 No Change
Findings ID: GOOD-00-000310 Rule ID: SV-67311r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the ability to take iOS screenshots has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable iOS screenshots.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify the Enable Restrictions Checkbox is checked
-Verify Allow screen capture is unchecked
V-53097 No Change
Findings ID: GOOD-00-000020 Rule ID: SV-67313r1_rule Severity: low CCI: CCI-000086

Discussion

HTML code embedded in emails can contain links to malicious sites. Requiring that all emails are viewed in plain text helps remediate phishing attempts.

Checks

Review the Good Mobility Suite configuration to determine if the mobile email server/client either blocks or converts all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.

Verify that the following registry entry exists on servers running the Good GMM/Good Link Service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync]

"HtmlEmail"=0
V-53099 No Change
Findings ID: GOOD-00-000030 Rule ID: SV-67315r1_rule Severity: high CCI: CCI-000136

Discussion

Good Mobility Suite auditing capability is critical for accurate forensic analysis. The ability to transfer audit logs often is necessary to quickly isolate them, protect their integrity, and analyze their contents.

Checks

Review the Good Mobility Suite mobile device account configuration to verify the audit logs can be transferred from managed mobile devices to the Good Mobility Suite. Have the system administrator show the logs of managed mobile devices on the Good Mobility Suite and whether audit logs are being transferred on request or on a periodic schedule. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to transfer audit logs from managed mobile devices to the Good Mobility Suite.

-Good logs are saved in standard .log format. The default location for these logs is the Log directory under the Good install directory (C:/Program Files (x86)/Good Technology/Good Mobile Control). This allows the data to be consumed by any third-party syslog tool. Refer to the third-party documentation to configure the required alerts/notifications.

-To enable Good Mobile Messaging Server diagnostic logging, the following three registry entries must be configured as String values.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\diagnostics

"cachesize" = 0

"encrypt" = 0

"expand" = 1
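As an added example, not part of the STIG and not Good Technology's own tooling, the following PowerShell script audits the registry values named in V-53097 (HtmlEmail under \sync) and V-53099 (the three diagnostics entries) on a Good Mobile Messaging server and reports each as Open or NotAFinding. It assumes an elevated session on the server itself; the key paths and expected values are exactly those given in the STIG text.

```powershell
# Added example (not from the STIG or Good Technology): audits the registry
# values named in V-53097 and V-53099. Assumption: run in an elevated session
# on the Good Mobile Messaging server itself, against the live HKLM hive.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters'

# Expected values as given in the STIG. V-53099 says the diagnostics entries
# must be String (REG_SZ) values, so their kind is checked too; the STIG does
# not state a type for HtmlEmail, so only its value is compared.
$expected = @(
    @{ Id = 'V-53097'; Key = "$base\sync";        Name = 'HtmlEmail'; Value = '0'; Kind = $null },
    @{ Id = 'V-53099'; Key = "$base\diagnostics"; Name = 'cachesize'; Value = '0'; Kind = 'String' },
    @{ Id = 'V-53099'; Key = "$base\diagnostics"; Name = 'encrypt';   Value = '0'; Kind = 'String' },
    @{ Id = 'V-53099'; Key = "$base\diagnostics"; Name = 'expand';    Value = '1'; Kind = 'String' }
)

function Test-GoodRegistrySetting {
    param([hashtable]$Setting)

    $result = [ordered]@{
        Id       = $Setting.Id
        Key      = $Setting.Key
        Name     = $Setting.Name
        Expected = $Setting.Value
        Actual   = $null
        Kind     = $null
        Status   = 'Open'      # STIG vocabulary: Open = finding, NotAFinding = compliant
    }

    # A missing key or missing value is a finding, not an error.
    if (-not (Test-Path -LiteralPath $Setting.Key)) {
        $result.Actual = '<key missing>'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Setting.Key
    if ($key.GetValueNames() -notcontains $Setting.Name) {
        $result.Actual = '<value missing>'
        return [pscustomobject]$result
    }

    # Compare the value as text so a REG_SZ "0" and a REG_DWORD 0 read the same,
    # then enforce the registry type only where the STIG names one.
    $result.Actual = [string]$key.GetValue($Setting.Name)
    $result.Kind   = [string]$key.GetValueKind($Setting.Name)
    $ok = ($result.Actual -eq $Setting.Value)
    if ($Setting.Kind -and $result.Kind -ne $Setting.Kind) { $ok = $false }
    if ($ok) { $result.Status = 'NotAFinding' }

    return [pscustomobject]$result
}

$results = foreach ($s in $expected) { Test-GoodRegistrySetting -Setting $s }
$results | Format-Table Id, Name, Expected, Actual, Kind, Status -AutoSize

# A non-zero exit code lets a scheduled task or SCAP wrapper flag the host.
if (@($results | Where-Object Status -eq 'Open').Count -gt 0) { exit 1 }
```

The script only reads the registry; the STIG fix steps above remain the authoritative way to set the values.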
V-53101 No Change
Findings ID: GOOD-00-000040 Rule ID: SV-67317r1_rule Severity: low CCI: CCI-000185

Discussion

If the user is aware that the revocation status of a certificate could not be verified, the user is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can use revoked certificates without detection.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client notifies the user if it cannot verify the revocation status of the certificate. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53103 No Change
Findings ID: GOOD-00-000050 Rule ID: SV-67319r1_rule Severity: low CCI: CCI-000185

Discussion

When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53105 No Change
Findings ID: GOOD-00-000060 Rule ID: SV-67321r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate has been issued from an untrusted certificate authority, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate issued from an untrusted certificate authority. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate issued from an untrusted certificate authority.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53107 No Change
Findings ID: GOOD-00-000070 Rule ID: SV-67323r1_rule Severity: medium CCI: CCI-000185

Discussion

When the operating system accepts the use of certificates issued from untrusted certificate authorities, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of a certificate if it was issued by an untrusted certificate authority.

Checks

Review the Good Mobility Suite configuration to verify the email client provides users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to provide users with the option to deny acceptance of a certificate when the certificate was issued by an untrusted certificate authority.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53109 No Change
Findings ID: GOOD-00-000080 Rule ID: SV-67325r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an invalid public-key certificate. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to alert the user if it receives an invalid public-key certificate.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53111 No Change
Findings ID: GOOD-00-000090 Rule ID: SV-67327r1_rule Severity: medium CCI: CCI-000185

Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Checks

Review the Good Mobility Suite configuration to verify the email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is invalid.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53113 No Change
Findings ID: GOOD-00-000100 Rule ID: SV-67329r1_rule Severity: low CCI: CCI-000185

Discussion

If the operating system does not verify the authenticity of revocation information, there is the potential that an authorized system is providing false information. Acceptance of the false information could result in the installation of unauthorized software or connection to rogue networks, depending on the use for which the certificate is intended. Verifying the authenticity of revocation information mitigates this risk.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client does not accept certificate revocation information without verifying its authenticity. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to not accept certificate revocation information without verifying its authenticity.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53115 No Change
Findings ID: GOOD-00-000110 Rule ID: SV-67331r1_rule Severity: low CCI: CCI-000185

Discussion

If an adversary is able to compromise one of the certificates in the certificate chain, the adversary may be able to sign lower-level certificates in the chain. This would enable the adversary to masquerade as other users or systems. By providing the mobile user with such false assurance, the adversary may be able to obtain DoD information, capture authentication credentials, and perform other unauthorized functions. Verifying all digital certificates in the chain mitigates this risk.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client verifies all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to verify all digital certificates in the certificate chain (user, intermediate, and root) when performing PKI transactions.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53117 No Change
Findings ID: GOOD-00-000120 Rule ID: SV-67333r1_rule Severity: medium CCI: CCI-000185

Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate is unverified.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53125 No Change
Findings ID: GOOD-00-000130 Rule ID: SV-67341r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives a public-key certificate with a non-FIPS approved algorithm. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to alert the user if it receives a public-key certificate with a non-FIPS approved algorithm.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53127 No Change
Findings ID: GOOD-00-000140 Rule ID: SV-67343r1_rule Severity: medium CCI: CCI-000185

Discussion

When the operating system accepts the use of invalid certificates, there is the potential that the system or object presenting the certificate is malicious and can compromise sensitive information or system integrity. When additional assurance is required, the system must deny acceptance of invalid certificates.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines that the certificate uses a non-FIPS approved algorithm.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53129 No Change
Findings ID: GOOD-00-000170 Rule ID: SV-67345r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if it receives an unverified public-key certificate. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to alert the user if it receives an unverified public-key certificate.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53133 No Change
Findings ID: GOOD-00-000180 Rule ID: SV-67349r1_rule Severity: medium CCI: CCI-000370

Discussion

Without a Data Wipe capability, the data on the mobile device can be compromised in the event of a lost or stolen device.

Checks

Review the Good Mobility Suite configuration to determine whether there is administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite so it has the administrative functionality to transmit a remote data wipe command, including removable media cards, to a managed mobile device.

Enable iOS MDM Profile

1. Select each security policy iOS devices are assigned to, and, in turn, verify the required settings are in the policy. Verify the latest available version of the MDM agent is set in the compliance rule.

-Verify "Enable MDM profile" is checked.
-Verify "Enable remote full device wipe" is checked.
V-53135 No Change
Findings ID: GOOD-00-000190 Rule ID: SV-67351r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine if the minimum password length for the device unlock password is at least 4 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to enable a device unlock password with a minimum length of 4 characters.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Passcode Tab
-Verify require passcode is checked and minimum length is set to 4
V-53137 No Change
Findings ID: GOOD-00-000200 Rule ID: SV-67353r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout to 15 minutes.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Passcode Tab
-Verify Auto-lock is checked and set to the appropriate value
V-53143 No Change
Findings ID: GOOD-00-000210 Rule ID: SV-67359r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the device inactivity timeout grace period is set to be immediate. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to set the device inactivity timeout grace period to be immediate.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Passcode Tab
-Verify Grace Period checkbox is checked and its dropdown menu set to Immediate
V-53145 No Change
Findings ID: GOOD-00-000220 Rule ID: SV-67361r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the mobile device user's access to an application store or repository has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to disable the mobile device user's access to an application store or repository.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Restrictions Tab
-Verify Allow installing apps is unchecked and set to the appropriate value
V-53149 No Change
Findings ID: GOOD-00-000230 Rule ID: SV-67365r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether access to specific web sites has been blocked. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to block access to specific web sites.

-Launch the Good Mobile Control Web console and click on the Settings tab
-On the left tab, select Good Mobile Access (Secure Browser)
-Populate the Approved DoD Proxy settings applicable to your Network
-Click on Policies Tab
-Select the policy set for the smart phone and click on Good Mobile Access (Secure Browser)
-Check Enable access to the Intranet, click on Edit and add routeall.gmm.good, click ok and click Save.

At this point the Secure Browser will utilize your DoD proxy settings.
V-53153 Updated
Findings ID: GOOD-00-000240 Rule ID: SV-67369r12_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.
The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read & consent to terms in IS user agreement." (Wording must be exactly as specified.)

Checks

Review the Good Mobility Suite server policy configuration to determine the display of a warning banner on the mobile device is being forced. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to force the display of a warning banner on the mobile device.

-Create a Notepad text file, enter the following, and then save it as disclaimer.xml (DO NOT DEVIATE FROM BELOW CONTENT):
<disclaimer>
<dtext value="I've read &amp; consent to terms in IS user agreem't."/>
</disclaimer>
-Launch the Good Mobile Control Web console and click on the Policies tab
-Select a policy set to review and click on the policy
-On the left tab, select Compliance Manager and click Add Rule
-Select iOS as the Rule Platform
-Under Check to run, select Custom
-Enter a Name and Description for your Rule
-Under Perform Checks, select Rule file and upload your disclaimer.xml
-Click Okay to save the rule to Compliance Manager
-Select the newly created rule and click Enable
-Click Save to save the Policy
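The rule file above must be well-formed XML and must carry the banner wording exactly, so a reviewer can verify the file before uploading it rather than discovering a problem in Compliance Manager. The following is an added example, not part of the STIG or of Good Technology's software: it assumes only the <disclaimer>/<dtext value="..."/> shape shown in the Fix above, and the REQUIRED_BANNER string is the decoded value attribute from that Fix. The three sample files are constructed inline; the second shows why the ampersand has to be written as &amp; (a bare & inside an attribute is not valid XML), and the third shows a well-formed file whose wording deviates.

```python
"""Added example (not part of the STIG): check a disclaimer.xml banner file
for well-formedness, expected element shape, and exact banner wording.
Assumes the <disclaimer><dtext value="..."/></disclaimer> layout from the
V-53153 Fix text; REQUIRED_BANNER is that Fix's attribute value after XML
entity decoding (&amp; -> &)."""
import xml.etree.ElementTree as ET

# Exact decoded attribute value from the Fix text of V-53153.
REQUIRED_BANNER = "I've read & consent to terms in IS user agreem't."

# Constructed sample 1: the file as the Fix shows it, with & escaped as &amp;.
GOOD_XML = b"""<disclaimer>
<dtext value="I've read &amp; consent to terms in IS user agreem't."/>
</disclaimer>
"""

# Constructed sample 2: a raw ampersand inside an attribute is not well-formed XML.
BAD_XML = b"""<disclaimer>
<dtext value="I've read & consent to terms in IS user agreem't."/>
</disclaimer>
"""

# Constructed sample 3: well-formed, but the banner wording deviates.
DEVIATING_XML = b"""<disclaimer>
<dtext value="I have read and consent to the terms."/>
</disclaimer>
"""


def check_disclaimer(data):
    """Return (ok, reason). ok is True only when the bytes parse as XML,
    the root is <disclaimer> with exactly one <dtext> child, and the
    decoded value attribute equals REQUIRED_BANNER character for character."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A bare '&' in the attribute lands here: expat rejects the token.
        return False, "not well-formed XML: %s" % exc
    if root.tag != "disclaimer":
        return False, "unexpected root element <%s>" % root.tag
    dtext = root.findall("dtext")
    if len(dtext) != 1:
        return False, "expected exactly one <dtext>, found %d" % len(dtext)
    value = dtext[0].get("value")
    if value is None:
        return False, "<dtext> has no value attribute"
    if value != REQUIRED_BANNER:
        return False, "banner text deviates: %r" % value
    return True, "banner matches required wording"


def check_disclaimer_file(path):
    """Convenience wrapper: read a file from disk and run the same check."""
    with open(path, "rb") as fh:
        return check_disclaimer(fh.read())


if __name__ == "__main__":
    samples = (("good", GOOD_XML), ("bad", BAD_XML), ("deviating", DEVIATING_XML))
    for name, blob in samples:
        ok, reason = check_disclaimer(blob)
        print("%s: %s - %s" % (name, "PASS" if ok else "FAIL", reason))
```

Run check_disclaimer_file("disclaimer.xml") against the file you are about to upload; anything other than a PASS means the rule would either fail to load or enforce a banner other than the one the Discussion requires.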
V-53155 No Change
Findings ID: GOOD-00-000250 Rule ID: SV-67371r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Passcode Tab
-Verify Maximum Failed Attempts checkbox is checked and its dropdown menu set to a value of 10 or less
V-53157 No Change
Findings ID: GOOD-00-000260 Rule ID: SV-67373r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether a Good Mobility Suite Agent password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to enable a Good Mobility Suite Agent password.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Password-protected (with or without soft token and S/MIME) is selected
V-53161 No Change
Findings ID: GOOD-00-000270 Rule ID: SV-67377r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent password is at least 6 characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to set the minimum Good Mobility Suite agent password length to six or more characters.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Require minimum length is checked and is set to 6 characters
V-53163 No Change
Findings ID: GOOD-00-000280 Rule ID: SV-67379r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the Good Mobility Suite agent inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to set the Good Mobility Suite agent inactivity timeout to 15 minutes.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Require password when idle for is checked and is set to 15 minutes
V-53165 No Change
Findings ID: GOOD-00-000290 Rule ID: SV-67381r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the automatic removal of the iOS configuration profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the automatic removal of the iOS configuration profile.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the General Tab
-Verify Automatically Remove Profile is set to Never
V-53167 No Change
Findings ID: GOOD-00-000300 Rule ID: SV-67383r1_rule Severity: medium CCI: CCI-000370

Discussion

Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of a Good Mobility Suite allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately.

Checks

Review the Good Mobility Suite server policy configuration to determine whether the use of simple values within the iOS Good Mobility Server agent password has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.

Fix

Configure the centrally managed Good Mobility Suite security policy rule to disable the use of simple values within the iOS Good Mobility Server agent password.

-Launch the Good Mobile Control Web console and click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-On the left tab, select iOS Configuration and select the Passcode Tab
-Verify Allow Simple Value is unchecked
V-53251 No Change
Findings ID: GOOD-00-000150 Rule ID: SV-67467r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client alerts the user if the certificate uses an unverified CRL. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to alert the user if the certificate uses an unverified CRL.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked
V-53253 No Change
Findings ID: GOOD-00-000160 Rule ID: SV-67469r1_rule Severity: medium CCI: CCI-000185

Discussion

If the user is aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to identify suspicious behavior that indicates an IA incident is in progress. Failure to notify the user of this occurrence makes it more likely that an adversary can launch an attack from an untrusted system.

Checks

Review the Good Mobility Suite configuration to verify the mobile email client gives the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified. Otherwise, this is a finding.

Fix

Configure the Good Mobility Suite to give the user the option to deny acceptance of a certificate if the mobile email client determines the CRL of the certificate is unverified.

-Launch the Good Mobile Control Web console, select the Settings tab, and open the Secure Messaging (S/MIME) section
-Verify Enable Secure Messaging (S/MIME) is checked
-In addition, click on the Policies tab
-Select the policy set for the smart phone and click on Good For Enterprise Authentication
-Verify Enable S/MIME is checked